SharpAllTheThings

The idea is to collect all the C# projects named Sharp{Word} that can be used in Cobalt Strike with the execute-assembly command. Credit for the name goes to the amazing PayloadsAllTheThings GitHub repo (https://github.com/swisskyrepo/PayloadsAllTheThings).

Execution

  1. SharpWMI - implementation of various WMI functionality. This includes local/remote WMI queries, remote WMI process creation through win32_process, and remote execution of arbitrary VBS through WMI event subscriptions. Alternate credentials are also supported for remote methods.
  2. SharpGPOAbuse - take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.

Persistence

  1. SharpPersist - Windows persistence toolkit written in C#.
  2. SharpStay - .NET project for installing persistence.

Privilege Escalation

  1. SharpUp - port of various PowerUp functionality

Defense Evasion

  1. SharpCradle - download and execute .NET binaries into memory.

Credential Access

  1. SharpLocker - helps get current user credentials by popping a fake Windows lock screen; all output is sent to the console, which works perfectly for Cobalt Strike.
  2. SharpDPAPI - port of some DPAPI functionality from @gentilkiwi's Mimikatz project.
  3. SharpDump - port of PowerSploit's Out-Minidump.ps1 functionality.
  4. SharpWeb - Retrieve saved browser credentials from Google Chrome, Mozilla Firefox and Microsoft Internet Explorer/Edge.
  5. SharpCookieMonster - Extracts cookies from Chrome.

Discovery

  1. SharpHound - Uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment; executes the collection options necessary to populate the backend BloodHound database.
  2. SharpWitness - C# version of EyeWitness by Christopher Truncer. Take screenshots of websites, provide some server header info, and identify default credentials if possible.
  3. SharpDomainSpray - very simple password spraying tool written in .NET. It takes a password then finds users in the domain and attempts to authenticate to the domain with that given password.
  4. SharpSniper - Find specific users in Active Directory via their username and logon IP address.
  5. SharpFruit - Port of Find-Fruit.ps1; aids penetration testers in finding juicy targets on internal networks without nmap scanning.
  6. SharpPrinter - tool to enumerate all visible network printers in the local network.
  7. SharpView - C# implementation of harmj0y's PowerView
  8. SharpSearch - Search files for extensions as well as text within.
  9. SharpClipHistory - Read the contents of a user's clipboard history in Windows 10 starting from the 1809 Build.
  10. SharpClipboard - Monitors the clipboard for any passwords.

Lateral Movement

  1. SharpCom - port of Invoke-DCOM; executes commands via various DCOM methods as demonstrated by @enigma0x3.
  2. Sharpexcel4_dcom - Port of Invoke-Excel4DCOM, Lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe)
  3. SharpExec - C# tool designed to aid with lateral movement
  4. SharpRDP - Remote Desktop Protocol .NET Console Application for Authenticated Command Execution
  5. SharpMove - .NET Project for performing Authenticated Remote Execution

Exfiltration

  1. SharpBox - Tool for compressing, encrypting, and exfiltrating data to DropBox using the DropBox API.

Other projects that don't start with Sharp{Word} but are absolutely worth knowing about:

  1. Rubeus - toolset for raw Kerberos interaction and abuses.
  2. SafetyKatz - combination of slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.
  3. Seatbelt - project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
  4. Watson - Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities
  5. ADFSDump - dump all sorts of goodies from AD FS.
  6. OffensiveCSharp - Collection of Offensive C# Tooling
  7. CredSniper - Prompts the current user for their credentials using the CredUIPromptForWindowsCredentials WinAPI function. Supports an argument to provide the message text that will be shown to the user.
  8. EncryptedZIP - Compresses a directory or file and then encrypts the ZIP file with a supplied key using AES256 CFB. This assembly also clears the key out of memory using RtlZeroMemory. Use the included Decrypter program to decrypt the archive.
  9. SessionSearcher - Searches all connected drives for PuTTY private keys and RDP connection files and parses them for relevant details. Based on SessionGopher by @arvanaghi.
  10. UnquotedPath - Outputs a list of unquoted service paths that aren't in System32/SysWow64 to plant a PE into.
  11. Internal Monologue - Retrieving NTLM Hashes without Touching LSASS
  12. InveighZero - Windows C# LLMNR/mDNS/NBNS/DNS spoofer/man-in-the-middle tool
  13. SCShell - fileless lateral movement tool that relies on ChangeServiceConfigA to run commands.
  14. ATPMiniDump - Dumping LSASS memory with MiniDumpWriteDump on PssCaptureSnapShot to evade WinDefender ATP credential-theft.
  15. RdpThief - Extracting Clear Text Passwords from mstsc.exe using API Hooking.
  16. Spray-AD - audit Active Directory user accounts for weak, well-known or easily guessable passwords.
  17. Recon-AD - an AD recon tool based on ADSI and reflective DLLs.
  18. Zipper - a CobaltStrike file and folder compression utility.
  19. Grouper2 - A tool for pentesters to help find security-related misconfigurations in Active Directory Group Policy.